On Mon, 2009-08-31 at 12:13 -0800, Kevin Miller wrote:

> I'm seeing a lot of blowback from Russian servers due to my domain
> users being joe-jobbed.

If you're not scanning outgoing mail or mail that doesn't cross the domain boundary, then it's reasonable to simply bin anything that claims to be from your domain. Since it didn't originate in your domain, the sender must be forged.

> I'm writing a rule to check (among other things) the From: address.

Your MTA can probably deal with that without involving SA, but if you want to involve SA, then
  describe LOC_FORGED Message with a forged sender
  header   LOC_FORGED From =~ /\.example\.com/m
  score    LOC_FORGED 10.0

should do the trick.

Of course, if you also scan outbound and/or intra-domain mail then things get a little trickier...

I access my mail archive via a plugin and whitelisting rule that whitelists mail from all senders who:

  - have previously been sent mail from my domain
  - are not recorded in the archive as users within my domain

Any sender who passes this check is assigned a score of -50.0 by the whitelisting rule. As a result I can be quite vicious with spam detection rules without impacting mail from such correspondents.

I hope this gives you ideas about similar approaches. It's working well here.

Martin
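The two checks Martin describes (the LOC_FORGED rule and the known-correspondent whitelist), as an added illustration that is not part of the thread or of SpamAssassin itself. It assumes the archive lookups are replaced by two constructed sets, and it tests the parsed From: address's domain rather than the reply's literal regex.

```python
from email import message_from_string
from email.utils import parseaddr

LOCAL_DOMAIN = "example.com"          # domain used in the thread's rule
FORGED_SCORE = 10.0                   # score LOC_FORGED 10.0
WHITELIST_SCORE = -50.0               # bonus the reply's whitelisting rule gives

# Constructed stand-in for the mail archive described in the reply (not real data):
# addresses our domain has previously written to, and our own local users.
PREVIOUS_RECIPIENTS = {"alice@partner.org", "bob@example.com"}
LOCAL_USERS = {"bob@example.com", "carol@example.com"}


def sender_of(raw):
    """Return the lower-cased address part of the From: header."""
    return parseaddr(message_from_string(raw).get("From", ""))[1].lower()


def is_forged_local(sender):
    """LOC_FORGED: on an inbound-only scanner, any From: at our domain is forged,
    because genuine mail from our users never arrives through that path."""
    return sender.endswith("@" + LOCAL_DOMAIN)


def is_known_correspondent(sender):
    """Whitelist only addresses we have written to before AND that are not our
    own users, so a forged local From: can never collect the -50 bonus."""
    return sender in PREVIOUS_RECIPIENTS and sender not in LOCAL_USERS


def score(raw):
    """Return (total score, list of rule names hit) for one raw message."""
    sender = sender_of(raw)
    total, hits = 0.0, []
    if is_forged_local(sender):
        total += FORGED_SCORE
        hits.append("LOC_FORGED")
    if is_known_correspondent(sender):
        total += WHITELIST_SCORE
        hits.append("LOC_KNOWN_CORRESPONDENT")
    return total, hits


# Constructed sample messages covering the three cases the reply distinguishes.
SAMPLES = {
    "forged": "From: Bob <bob@example.com>\nSubject: hi\n\nbody\n",
    "correspondent": "From: alice@partner.org\nSubject: re: hi\n\nbody\n",
    "stranger": "From: mallory@spammer.invalid\nSubject: offer\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, score(raw))
```

Note that bob@example.com appears in both sets: the "not a local user" test is what stops a forged local address from earning the whitelist bonus.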